How to Secure Apache with Free Let’s Encrypt SSL Certificate on Ubuntu and Debian

Do you have a newly registered domain name, and does your web server run with a self-signed SSL certificate that you issued yourself, causing headaches for your clients because of the certificate errors shown when they visit the domain? Do you have a limited budget and can’t afford to buy a certificate issued by a trusted CA? This is where the Let’s Encrypt software comes onto the scene and saves the day.


Let’s Encrypt is a Certificate Authority (CA) that lets you obtain the free SSL/TLS certificates your server needs to run securely, giving your users a smooth browsing experience without certificate errors.


Most of the steps required to generate a certificate are automated for the Apache web server. However, regardless of your web server software, some steps must be done manually and the certificates must be installed manually, especially if your website content is served by the Nginx daemon.

This tutorial will guide you on how you can install Let’s Encrypt software on Ubuntu 14.04 or Debian 8, generate and obtain a free certificate for your domain and how you can manually install the certificate in Apache and Nginx webservers.

Requirements

A public registered domain name with valid A records that point back to your server’s external IP address. If your server is behind a firewall, take the necessary measures to ensure that it is world-wide accessible from the internet by adding port forward rules on the router side.

Apache web server installed with SSL module enabled and virtual hosting enabled, in case you host several domains or subdomains.

Step 1: Install Apache and Enable SSL Module

1. If you don’t have Apache webserver already installed on your machine issue the following command to install apache daemon.

Visitors can now access your domain name via the HTTPS protocol. However, because your server’s self-signed certificate is not issued by a trusted certificate authority, an error alert is displayed in their browsers.

https://yourdomain.com


Step 2: Install Free Let’s Encrypt Client

3. In order to install the Let’s Encrypt software on your server you need to have the git package installed on your system. Issue the following command to install git:

$ sudo apt-get -y install git

4. Next, choose a directory in your system hierarchy where you want to clone the Let’s Encrypt git repository. In this tutorial we will use the /usr/local/ directory as the installation path for Let’s Encrypt.

Switch to /usr/local directory and install letsencrypt client by issuing the following commands:

Step 3: Generate an SSL Certificate for Apache

5. The process of obtaining an SSL certificate for Apache is automated thanks to the Apache plugin. Generate the certificate by issuing the following command against your domain name. Provide your domain name as a parameter to the -d flag.

6. Agree to the license, enter an email address for recovery and choose whether clients can browse your domain using both HTTP protocols (secure and insecure) or whether all non-secure requests are redirected to HTTPS.


7. After the installation process finishes successfully, a congratulation message is displayed on your console informing you about the expiration date and how you can test the configuration.


Now you should be able to find your certificate files at /etc/letsencrypt/live directory with a simple directory listing.

$ sudo ls /etc/letsencrypt/live


8. Finally, to verify the status of your SSL Certificate visit the following link. Replace the domain name accordingly.

https://www.ssllabs.com/ssltest/analyze.html?d=your_domain.tld&latest


Also, visitors can now access your domain name using HTTPS protocol without any error appearing in their web browsers.

Step 4: Auto Renew Let’s Encrypt Certificates

9. By default, certificates issued by the Let’s Encrypt authority are valid for 90 days. In order to renew the certificate before the expiration date you must manually run the client again using the same flags and parameters as earlier.
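
Added example, not part of the original tutorial: a small shell check for the two certificate properties this guide turns on, whether a certificate is self-signed (the browser error from Step 1) and whether it is close to the end of its 90-day lifetime (the renewal in Step 4). It uses only the openssl command line tool on constructed test certificates; the function names are illustrative, and on a real server you would point cert_report at the certificate file under /etc/letsencrypt/live instead.

```shell
#!/bin/sh
# Added example (not from the tutorial). Function names are illustrative.

# Exit 0 when issuer equals subject, i.e. the certificate is self-signed.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 2
    issr=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || return 2
    [ "${subj#subject=}" = "${issr#issuer=}" ]
}

# Exit 0 when the certificate expires within the next $2 days.
# "openssl x509 -checkend N" exits 0 if still valid in N seconds, so invert it.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# One-line summary for a certificate file; default renewal window is 30 days.
cert_report() {
    [ -r "$1" ] || { echo "missing"; return 0; }
    if is_self_signed "$1"; then ss=yes; else ss=no; fi
    if expires_within_days "$1" "${2:-30}"; then rn=yes; else rn=no; fi
    echo "self-signed=$ss renew=$rn"
}

# Constructed sample data: a 90-day self-signed certificate and a 90-day
# certificate issued by a throwaway test CA, both for example.test.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=example.test" \
        -keyout "$1/self.key" -out "$1/self.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 90 -out "$1/leaf.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_certs "$demo"
cert_report "$demo/self.pem" 30    # the self-signed case from Step 1
cert_report "$demo/leaf.pem" 30    # CA-issued, 90 days left: not yet due
cert_report "$demo/leaf.pem" 120   # window longer than the lifetime: due
rm -rf "$demo"
```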

13 Responses

Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

I just got one issue: how can I tell CloudFront about the certificate? Because when I edit my “Distribution” on CloudFront and go to edit it to custom SSL, it does not let me choose this option, but I see that the certificate is there. What am I doing wrong?